Howard Chu wrote:
Ludovic Poitou wrote:
Howard,
Our security expert at Sun considers that the attack could be applied to LDAP, although it will be more complex to achieve for all the good reasons you've outlined (session-oriented, with explicit authentication attached to a session, and is a record-oriented ASN.1 encoded protocol with precisely defined message structure). The renegotiation in the attack is, as far as I understand, driven by the man in the middle, and so even though OpenLDAP slapd never requests the renegotiation, it is still subject to the attack.
Hi Ludo, thanks for the note. Kurt and I were discussing this offline and he has suggested a possible attack as well. I'm still not convinced of the details but we'll continue to investigate.
Wondering if we (ApacheDS) can be a possible target, assuming that we are Java based. Any idea?